CVE-2023-22643— libzypp-plugin-appdata: potential arbitrary code execution via shell injection due to `os.system` calls

CVSS 6.3 · Medium EPSS 0.17% · P38 Updated Mar 25, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-22643

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

libzypp-plugin-appdata: potential arbitrary code execution via shell injection due to `os.system` calls

Source: NVD (National Vulnerability Database)

Vulnerability Description

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in libzypp-plugin-appdata of SUSE Linux Enterprise Server for SAP 15-SP3; openSUSE Leap 15.4 allows attackers that can trick users to use specially crafted REPO_ALIAS, REPO_TYPE or REPO_METADATA_PATH settings to execute code as root. This issue affects: SUSE Linux Enterprise Server for SAP 15-SP3 libzypp-plugin-appdata versions prior to 1.0.1+git.20180426. openSUSE Leap 15.4 libzypp-plugin-appdata versions prior to 1.0.1+git.20180426.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

Source: NVD (National Vulnerability Database)

Vulnerability Title

SUSE Linux Enterprise Server 操作系统命令注入漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

SUSE Linux Enterprise Server是德国SUSE公司的一套企业服务器版Linux操作系统。 SUSE Linux Enterprise Server 存在操作系统命令注入漏洞。目前尚无此漏洞的相关信息，请随时关注CNNVD或厂商公告。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
SUSE	SUSE Linux Enterprise Server for SAP 15-SP3	libzypp-plugin-appdata ~ 1.0.1+git.20180426	-
openSUSE	openSUSE Leap 15.4	libzypp-plugin-appdata ~ 1.0.1+git.20180426	-

II. Public POCs for CVE-2023-22643

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2023-22643

请登录查看更多情报信息。

Same Patch Batch · SUSE · 2023-02-07 · 9 CVEs total

CVE-2022-43757	9.9 CRITICAL	Rancher: Exposure of sensitive fields
CVE-2022-31254	7.8 HIGH	rmt-server-pubcloud allows to escalate from user _rmt to root
CVE-2022-43758	7.6 HIGH	Rancher: Command injection in Git package
CVE-2022-31249	7.5 HIGH	[RANCHER] OS command injection in Rancher and Fleet
CVE-2022-21953	7.4 HIGH	Authenticated user can gain unauthorized shell pod and kubectl access in the local cluster
CVE-2022-43759	7.2 HIGH	Rancher: Privilege escalation via promoted roles
CVE-2022-43755	7.1 HIGH	Rancher: Non-random authentication token
CVE-2022-43756	5.9 MEDIUM	Rancher/Wrangler: Denial of service when processing Git credentials

IV. Related Vulnerabilities

Same vendor: SUSE

Same weakness: CWE-78

V. Comments for CVE-2023-22643

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2023-22643— libzypp-plugin-appdata: potential arbitrary code execution via shell injection due to `os.system` calls

I. Basic Information for CVE-2023-22643

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2023-22643

III. Intelligence Information for CVE-2023-22643

Same Patch Batch · SUSE · 2023-02-07 · 9 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2023-22643

Leave a comment